Step-by-Step guide to audit active directory changes using “Directory Service Changes” auditing
As Administrator/Engineer it is important to audit the object access on the infrastructure to identify security issues, problems etc. it also helps to troubleshoot this issues.
In windows folder or a file access can audit using audit object access policy. Same way the audit directory service access policy allows to audit access attempts to object in active directory. This is enable by default and configured to audit the “Success Events”. But there are few disadvantages on this.
1) Difficulties of finding the attribute changes
2) Impossible to know the old value of an attribute
To overcome this issue windows server 2008 adds an auditing category called “Directory Service Changes”. With this we can simply identify the old and new attributes values.
It is not enabled by default and needs to activate manually.
1) Log in to the domain controller as Domain admin or Enterprise admin.
2) Load powershell console with admin rights.
3) Type auditpol /set /subcategory:"directory service changes" /success:enable and press enter.
4) In order to test the auditing, I already have usera and userb added to the Domain admins group. I am going to remove usera from the group and check the auditing.
5) To check the log entries go to Event viewer > Windows Log > Security
6) As per below we can see the detail description including,
- What type of change
- At what type it was triggered
- What is the new value
- Which group it is
As we can see it gives great deal of information which can use in troubleshooting, auditing.
If you have any question about the post feel free to contact me on email@example.com